When a smart card is manufactured, the manufacturer `burns in` a unique identifying serial number. In addition the manufacturer installs a manufacturer's `Master` Secret Code.
The card and the Master Secret Code are subsequently conveyed to the Issuer by separate means. Upon receipt by the Issuer the card is accessed by presenting the Master Secret Code and that code is then changed to a fresh `Issuer` Secret Code not known to the manufacturer. One or more User Secret Codes are then stored in the card and used to protect access to confidential user data. Initial user data may then be stored in the card. The card and the User Secret Code(s) are ultimately conveyed to a user by separate means, and the appropriate User Secret Code(s) must be correctly presented to the smart card by the user, before access to the card is allowed.
The process of presentation of the Master Secret Code, storage of the Issuer Secret Code, storage of the User Secret Codes, and initial storage of user data, is commonly called Personalisation, and is traditionally done in a secure "Personalisation Centre" by the Issuer. This approach is costly, time-consuming and relatively insecure.